IPSec VTI Virtual Tunnel Interface

This topic is to discuss the following lesson:


Hi Rene,
Hopefully, you are fine. Besides studying every day, I am checking your new lessons and the forum as well. After taking membership, I am able to see you are continually adding new lessons in CCIE Routing & Switching Written like:

* IPSec VTI Virtual Tunnel Interface April 2018
* BGP PIC (Prefix Independent Convergence) Core & Edge March 2018
* BGP Multipath load sharing iBGP and eBGP March 2018
* BGP Aggregate AS-SET March 2018
* IPv6 RA Guard March 2018
* IPv6 over MPLS 6PE/6VPE March 2018
* IPv6 DHCPv6 Prefix Delegation February 2018
* Multicast Tunnel RPF Failure February 2018
* Multicast IGMP Proxy February 2018
* Multicast PIM Sparse-Dense Mode January 2018
* Multicast PIM Snooping January 2018

Which is very helpful for us, but I have one question: are the above topics from the CCIEv5 syllabus, or are you just slowly preparing all the CCIE content, meaning the CCIE content is still not fully ready?
Don't get me wrong Rene, this is my general question; you are our trainer, so as a student I can ask my trainer :smiley:

Thanks & Regards,
Arindom

Hi Arindom,

There was a small list of CCIE R&S written topics that I still didn't have, so right now I'm working on completing those :slight_smile: Just a few more and then the written course is 100% according to the blueprint.

Rene

Hi Rene,
Thanks for replying.
Yes, yes, sure. All the best Rene :+1: We believe your lessons will be best for CCIE technology learning; I will take your CCIE lessons as well. But due to some financial problems, an annual membership is not affordable for me, so I will continue with a monthly membership.

Thanks & Regards,
Arindom

Isn't it the case that IPSec tunnel mode does not support multicast?

How does EIGRP establish neighborship between these routers?

Hello Ray

It is true that IPsec alone does not support multicast. However, if you want to create an EIGRP neighbourship over IPsec, you must run a GRE tunnel in conjunction with IPsec. GRE supports multicast so this would solve the problem.

Another option is to use an EIGRP static neighbour. This automatically makes EIGRP use only unicast for communication between neighbours.

I hope this has been helpful!

Laz
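As an added example (not configuration from the lesson or from Laz's reply), here is one side of an IPsec VTI with the EIGRP static neighbour option described above, which makes EIGRP send its hellos and updates to that peer as unicast. All interface names, addresses, VRF-free addressing and the PSK placeholder are constructed; the remote router mirrors this configuration with the addresses swapped.

```cisco
! Phase 1: IKEv1 policy and pre-shared key for the remote public address
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2: transform set and the IPsec profile the VTI will use
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROFILE
 set transform-set AES256-SHA256
!
interface GigabitEthernet0/0
 description public side (constructed address)
 ip address 203.0.113.1 255.255.255.0
!
! The VTI itself: a routable tunnel interface protected by the IPsec profile
interface Tunnel0
 description IPsec VTI to remote site
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface GigabitEthernet0/1
 description inside LAN (constructed address)
 ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 ! static neighbour: EIGRP talks to 10.0.0.2 via Tunnel0 with unicast only
 neighbor 10.0.0.2 Tunnel0
!
! Verification: show crypto ipsec sa / show ip eigrp neighbors / show interfaces tunnel 0
```

Once a static neighbour is configured on an interface, EIGRP stops sending multicast on that interface, so both ends of the tunnel must carry the matching `neighbor` statement or the adjacency will not form.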

Thank you Laz! However, in this lesson Rene did not use either a GRE tunnel or an EIGRP static neighbor?

Hi Rene/Laz,
Happy New Year. Let's imagine that we don't have any control over the spoke routers, they belong to different organizations, and they need access to some of our internal networks. Do you think the better way to achieve that is through routing or through ACLs?
Best regards,
Imel

Hello Thierry

From a technical standpoint, if the choice was between those two, using ACLs would be a better choice. The purpose of ACLs is to filter traffic, and you can most effectively control what traffic you allow and what traffic you disallow using them. Routing is more cumbersome to use as a filtering mechanism, and it is not nearly as powerful. Needless to say, routing has a whole different purpose, and should not be used in such a fashion, as it could cause unintentional and unpredictable changes to traffic patterns.

IPSec VTI, and VPN technologies in general, are features that are best used when you have control over both the spokes and the hub devices. If you don’t, it’s still doable, but there are more administrative issues involved. If you are an organization that wants to offer customers secure access to your internal resources, the most appropriate technology to use is MPLS L3 VPN. It would provide you with the most scalable solution, and provide you with the tools necessary to achieve both security and routing among remote sites. You can find out more about that at the following lesson:

I hope this has been helpful!

Laz


So I've managed to duplicate both this one as well as the original IPSEC GRE tunnel (which, as pointed out earlier, requires that we know a lot about each side, whereas this one is more dynamic). One thing I'm trying to accomplish, and have been unable to do with either setup (IPSEC VTI or IPSEC GRE), is to tunnel two VRFs through the public connection. The tunnel is not in a VRF (it's in the global routing table), so I don't know how to do the "vrf tunnel" to get through either of the above-mentioned tunnels... Suggestions? Effectively I have three different networks (2 VRFs plus the global table) that I need to get from one side of a tunnel to the other...

Hello Marcos

In order to achieve what you are describing, you will have to use a feature called VRF-aware IPSec. This is a feature that allows you to route multiple VRFs over a single tunnel. You can find out more information about it at this Cisco documentation:

Some more condensed information can also be found here:

I hope this has been helpful!

Laz